Introduction


Lack  of  security  and  privacy  are  two  very 
common  problems  facing  those  involved  with 
computers  today.  Many  people  in  the  computer 
business  are  simply  not  aware  of  or  are 
apathetic  to  ADP  (automated  data  processing) 
security  and  privacy  matters. 

Loss  of  security  and  privacy  is,  however,  a
very  real  threat  in  today's  highly  automated 
world.  Without  strict  security  and  privacy 
regulations,  data  could  be  lost,  stolen,  or 
manipulated.  Since  much  modern  data  are 
beginning  to  be  stored  in  ADP  systems,  misuse, 
mismanagement,  or  just  plain  carelessness  could 
result  in  major  problems  for  a  great  number  of 
people. 

Some  security  can  be  built  into  ADP  hardware 
and  software  during  the  developmental  phase, 
but,  at  the  present  time,  no  system  is
completely  secure.  It  is  the  responsibility  of
computer  users/custodians  to  maintain  a  high
level  of  security  and  privacy  for  all  computer 
files. 


Because  of  the  obvious  lack  of  awareness 
concerning  security  and  privacy,  the  following 
questions  need  to  be  answered: 

1.  What  do  the  terms  "security"  and 
"privacy"  mean  when  used  in  connection 
with  ADP  hardware  and  software? 

2.  What  happens  when  there  is  a  lack  of 
security?  of  privacy? 

3.  What  are  some  of  the  causes  of  this  lack
of  security  and  privacy? 

4.  Who  has  the  ultimate  responsibility  for 
maintaining  security  and  determining 
privacy  requirements? 

5.  What  are  some  of  the  possible  solutions
for  these  problems? 
Security— What  Is  It?


According to Webster, security is a state of being or feeling secure; freedom from fear, anxiety, danger, doubt, etc. It is also a state or sense of safety or certainty.


How  Does  Security  Relate  to  ADP  Systems? 


In order to have a secure ADP system, only those with a need-to-know should have access to data. Security also means that data in ADP systems should be correct and their integrity intact. In other words, security refers to the protection of resources from damage and the protection of data against accidental or intentional disclosure or unauthorized modification or destruction.


What Are ADP Systems?

Automated data processing systems are primarily, but not solely, computers. An ADP system is essentially made up of six elements:

1. Its physical environment,
2. People dealing with the system,
3. Communications,
4. Policies and procedures,
5. Hardware, and
6. Software.


Why Is Security Such a Problem?

Security in ADP systems is becoming a problem in direct proportion to the increase in the number of computer systems becoming available. One major reason computers face security problems is because they are located in a hostile environment. Such vulnerability stems from the following factors:

1. Complexity,
2. Speed of operation,
3. Vast amounts of data,
4. Inadequate audit trails,
5. Telecommunications,
6. Complicated operating systems, and
7. Lack of understanding about security aspects.


The  security  aspects  of  ADP  systems  can  be
defined  as: 

1.  Large  scale  data  bases  containing  sensitive 
information, 

2.  Remote  access  considerations, 

3.  Constant  growth  in  numbers  of  users,  and

4.  Increase  in  numbers  of  personnel  with 
technical  knowledge  required  to  access 
computer  systems. 

Why  Are  Security  Problems  on  the  Rise? 

In  today's  complex  world  there  is  an 
increased  dependency  upon  computer  systems 
for  critical  and  sensitive  applications. 

Dependency  also  stems  from  a  lack  of  manual
back-up  systems  and  inadequate  contingency
planning.

Although there is an increased dependency upon computers, there has been apathy or a lack of awareness concerning security because of work exigencies. There is also the matter of limited resources that require careful consideration of priorities.

In other words, because of the great demand for fast, efficient computer services, security has not been completely and competently maintained.

Are  There  Any  Other  Security  Problems? 

In  addition  to  the  vulnerabilities  produced  as 
a  by-product  of  the  computer  industry  growth, 
there  are  certain  very  real  threats  to  security 
including: 

1.  Natural  hazards 

•  Fire, 

•  Flood,

•  Severe  storm, 

•  Failure  of  electrical  power  (e.g.,  air
conditioning),

•  Communications  failure,  and 

•  System  failure. 

2.  Accidental  errors,  omissions,  or  failures 

•  User  errors,

•  Operator  errors,

•  Data  preparation  errors, 

•  Application  program  errors, 

•  Output  errors,

•  System  errors,

•  Communication  errors,  and 

•  Inadvertent  release  of  sensitive 
information. 
What  Can  Be  Done  About  Such  Threats?


It would be difficult, if not impossible, to prevent natural hazards. However, accidental errors, omissions, or failures, and deliberate computer abuses are problems that can be kept to a minimum with proper maintenance and surveillance. Although security should be built into a system, no system can be really secure unless the user makes it secure. To put this another way, no matter how many security gadgets are used, a secure system is no better than the person using it. Security must be a personal matter with every computer operator and user in order to have a significant impact.


Who  Is  Actually  Responsible  for  Security? 


It is the responsibility of the system designers and manufacturers to build security into an ADP system. Users have the responsibility to maintain a careful watch on their security practices. Management is also responsible since they should set up security requirements and regulations for their employees. In addition, the vendors and users should work together to determine who is responsible for what computer security function.

It should be kept in mind, though, that when a security system is being set up, requirements and regulations should be easily understood and workable. Too much restriction and too much regulation are as bad as too little of either one.
What  Roles  Do  Management  and  Users
Play  in  Security  Problems? 


In  most  cases,  management  plays  a  key  role 
in  the  problems  associated  with  security.  In 
general,  most  managers  are  mission-oriented. 
They  are  more  concerned  with  the  ultimate 
product  than  with  the  production  process. 
Management  has  recently  become  more  aware 
of  the  critical  problems  associated  with 
computer  security  and  they  are  taking  strong 
measures  to  resolve  those  problems. 

Individual  users  also  have  problems  with 
security.  There  seems  to  be  a  lack  of  concern 
with  regard  to  system  security.  The  user  has  a 
tendency  to  view  a  computer  as  just  another
inanimate  object,  and  yet,  this  inanimate  object 
still  presents  a  challenge  to  him.  In  most  cases, 
a  user  will  not  consider  computer  abuse  (on  a 
small  scale)  a  crime.  Computer  system  users  can 
also  be  lax  about  reporting  known  security 
violations  because  they  don't  realize  that  it  can 
jeopardize  their  own  security. 


There  is  also  another  problem  regarding  user 
security.  Many  computer  users  feel  that  the 
classification  of  data  is  the  responsibility  of 
those  involved  with  computer  operation  rather 
than  that  of  computer  users.  In  fact, 
classification  rests  in  the  hands  of  subject  matter 
specialists,  not  computer  operations  people. 

Today's  computer  world  is  marked  by  rapid
growth  and  extension  of  applications,  continued 
growth  in  the  numbers  of  systems  (especially 
mini-  and  micro-computers),  and  large  increases 
in  the  numbers  of  people  involved  in  data 
processing.  In  such  an  environment, 
management's  lack  of  involvement  and  users'
apathy  serve  only  to  compound  the  ADP 
security  problem. 
Privacy— What  Is  It?

Webster defines privacy as the quality or condition of being private; withdrawal from public view or company; seclusion; secrecy. It can also be one's private or personal affairs.

How  Does  Privacy  Relate  to  ADP 
Systems? 

First of all, one must realize the amount of sensitive personal data that is stored in today's computers. A person's entire history is recorded, including financial data, medical records, military files, and so forth. An ADP system becomes a storehouse of valuable but, in many cases, very private information. Privacy, then, refers to the rights of individuals and organizations to determine for themselves when, how, and to what extent information about them is to be transmitted to others. Privacy is an issue that goes far beyond computer centers and can be thought of as a people problem since people run machines, after all.


Who  Could  Gain  from  Use  of  Personal 
Data? 


A person who gained access to data files without a need-to-know could cause many problems, not only for the private citizen but to others as well. He or she could, for example:

1. Manipulate data,

2. Modify/falsify data,

3. Acquire proprietary information and programs,

4. Alter stored programs,

5. Change master files,

6. Access passwords/algorithms, or

7. Deny authorized access.

In other words, someone could deliberately abuse computer files to alter many aspects of a person's life such as his credit rating, employment records, even his community standing.


Has  Anything  Been  Done  to  Prevent  Such 
Acts? 


Congress passed the "Privacy Act of 1974" which sets up certain guidelines regarding privacy and data stored in computers and manual files. In essence, Congress recognized that a person does have a right to privacy, including privacy with regard to personal files. However, there are instances when such files would be made available to authorized persons upon request.

What  Are  the  Custodian's  Responsibilities 
Concerning  Privacy? 

The custodian has a responsibility to determine information necessary when a request has been received for file information. The accuracy standards should also be determined, along with identification of protection requirements, and the establishment of the sensitivity of requested information.


The  custodian  should  also  determine  how  the 
use  of  the  information  requested  could 
adversely  affect  the  particular  individual 
involved.  He  can  do  this  by  considering  the 
following  criteria: 

1.  What  is  adverse?

2.  What  data  are  vital? 

3.  What  should  be  done  if  vital  information
is  in  error? 

4.  What  should  be  done  if  vital  information 
is  disputed? 

5.  What  should  be  done  if  vital  information
is  missing? 

6.  How  much  impact  will  an  error  correction
have  on  a  system? 

A determination should also be made as to the "need-to-know."


Summary  of  ADP  Security/Privacy 
Problems 


What  Can  Be  Done? 


The typical problem areas with regard to computer security are as follows:

1. Insufficient emphasis on computer security (i.e., inadequate security planning/contingency planning),

2. Lack of vulnerability/threat/risk assessment,

3. Lack of management involvement in computer security issues, and

4. Lack of protection against natural disasters.

Computer privacy problems include:

1. Manipulation of data (modification or falsification),

2. Acquisition of proprietary information without a "need-to-know," and

3. Unauthorized acquisition of passwords/algorithms.


Security and privacy are two very important facets that a society, which is fast becoming automated, has to take into account. Although many things contribute to a lack or loss of security and privacy, the main ingredients in any security or privacy problem are the people involved with the systems. To most people, security and privacy are nebulous terms, and rather than learn all the rules and regulations concerning them, they choose to be apathetic. In order for society to have an effective and efficient computerized network, not only the systems themselves, but also all of the people involved with them, must be geared toward maintaining security and privacy. Security and privacy measures cannot be looked upon as unimportant or not pertinent, but must become an integral part of the computer environment.


This booklet was prepared by the Computer Sciences Department to promote awareness of computer security and privacy problems.

The Computer Sciences Department wishes to acknowledge the excellent response and assistance provided by Mr. I Bonas, Graphics Branch, and Mr. W I ( onlorti, Technical Writing Branch, in planning this publication. Appreciation is also extended to Mr. D. W. Iitton, Graphics Branch, for conceiving and preparing the artwork; to Ms. P. A. Ellis, Technical Writing Branch, for coordinating and writing the booklet; and to Mr. I. t. Neville, Jr., Programming and Computer Operations Branch, for his ideas and guidance.

Questions and comments concerning the contents of this booklet should be directed to Mr. J. R. Babiec (Code 44 i).


Naval Underwater Systems Center

Technical Document y'SO

Approved for public release; distribution unlimited.


T.  A.  Galib 

tlr.nl  <  <  v  ii'iii  in  l  h'p.rtnu':} ( 


